Flying Dragon Eye: Uyghur Themed Threat Activity

This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being attempted via the usual tactic of spear phishing, delivering malicious attachments to targets. The exploit code in the attachments, used for dropping the malware, is older – CVE-2012-0158 – and from our vantage point we have no indication of successful or failed exploitation. Nonetheless, we can obtain targeting information and insight into tactics from the spear-phishing messages used by the threat actors. Successful exploitation typically results in malware calling back to one or more Uyghur-themed domain names. The malware payloads observed so far in association with the Uyghur-themed C2 domains consist of PlugX, Gh0st RAT, and Saker/Xbox, although there may be others that are yet to be discovered.

It is possible that additional exploitation well beyond CVE-2012-0158 is at play, although in this case it appears that the threat actors still thought they could obtain benefit from a four-year-old vulnerability that has been widely associated with numerous cyber-espionage operations over the years. This may be due to the weak defensive posture of those targeted and an attempt at a higher return on investment by using exploit code that might still be adequate against these targets. Pivots on threat infrastructure suggest that the same or related threat actors have direct or indirect access to other types of exploit code, such as the “Four Element Sword” builder and the numerous types of malware delivered with it (PlugX, 9002 RAT 3102 variant, T9000, Grabber, Gh0st RAT LURK0 variant and perhaps others), profiled in previous ASERT threat intelligence products.